How to fix sanitize the parameters of SqlCommand?

Question

My code is like this:

string groupQuery= blabla;
string WhereQuery= blabla;
string cmt= String.Format("selecte * from Customer {0}{1} order by CustomerName", WhereQuery, groupQuery);
SqlCommand cmd1=new SqlCommand(cmt);

everything is working fine. But

at SqlCommand(cmt); Visual studio sugest me to "Make sure to sanitize the parameters of this SQL command"

How can I fix it?

Ramesh Palanivel · Answer

Hi darma In your code  tring groupQuery= blabla; string WhereQuery= where delete * from customers; string cmt= String.Format(selecte * from Customer {0}{1} order by CustomerName WhereQuery groupQuery); SqlCommand cmd1=new SqlCommand(cmt); Try and check what you will get here..

darma teja · Answer

I am not passing any parameters here.

Ramesh Palanivel · Answer

Hi darma Yes I understand. You are not using any parameters. But here You are using where condition. In that where condition someone can inject your query. example lets assume if you have input box to search records in your page if user enter Delete * from Customer what will happen in that. So the reason it asks you to use parameter with value. Understand?

Ramesh Palanivel · Answer

Hi Darma Its asking you to use Parameter with value to avoid Sql injection.